About me

Head Geek of Technical Security Services at KPMG Australia

App security specialist for a bit over a decade, IT for two, geek since birth

• Frequent long e-mailer (tl;dr)
• Frequent speaker at conferences
• OWASP Developer Guide 2.0
• OWASP Top 10 2007
• OWASP Application Security Verification Standard 2.0
• OWASP Developer Guide 2013

Loves coffee, cats, computers, and my daughter

+Andrew van der Stock
@vanderaj
Critical data assets are stored and processed by applications

No one has a good handle on where these critical data assets exist

Application security is woeful
• Missing controls
• Unused controls
• Ineffective controls

Shrinking and wasted budgets

Risk averse organizations:
• Accept unknown risks
• Refuse to appropriately assess risks
• Accept unacceptably high risks
Common Industry Practice

• Zero knowledge
• No credentials
• Production testing
• Out of hours
• (Extremely) time limited
• (Extremely) scope constrained
• (Extremely) tight rules of engagement
• Noisy
• No social engineering
• Not aligned with business
• Not aligned with risk management

• Zero knowledge
• No credentials
• Production testing
• (whenever they want)
• (for as long as they want)
• (all systems in any ...)
• (no rules of engagement)
• (as quiet as possible)
• ("Hi, I'm from tech support")
• Not aligned with business
• Not aligned with risk management
Hierarchy of hazard control

• Elimination
• Substitution
• Engineering controls
• Administrative controls
• PPE

(Annotation on the slide: "We have been here since 1995")
Security testing in the dark ages

OWASP Top 10

OWASP Top 10 2010                                   | OWASP Top 10 2013
A1  Injection                                       | A1  Injection
A2  Broken authentication and session management    | A2  Broken authentication and session management
A3  Cross-site scripting                            | A3  Cross-site scripting
A4  Insecure direct object references               | A4  Insecure direct object references
A5  Cross-site request forgery                      | A5  Security misconfiguration
A6  Security misconfiguration                       | A6  Sensitive data exposure
A7  Insecure cryptographic storage                  | A7  Missing function level access control
A8  Failure to restrict URL access                  | A8  Cross-site request forgery
A9  Insufficient transport layer protection         | A9  Using known vulnerable components
A10 Unvalidated redirects and forwards              | A10 Unvalidated redirects and forwards
OWASP Top 10 - The right way

OWASP Top 10 2013                            | OWASP Proactive Controls
A1  Input validation and output encoding     | A1  Authentication
A2  Authentication and session management    | A2  Access control
A3  Input validation and output encoding     | A3  Validation
A4  Access control                           | A4  Encoding
A5  Configuration                            | A5  Data protection
A6  Access control, data protection          | A6  Secure requirements, architecture and design
A7  Configuration                            | A7  Access control
A8  Access control                           | A8  Business limits
A9  Accountability                           | A9  Configuration
A10 Input validation and access control      | A10 Assurance
OWASP Application Security Verification Standard 2.0 (draft)

OWASP ASVS Business Logic Requirements (BL)
BL.1

Verify the application processes or verifies all high value business logic flows in a trusted environment, such as on a protected and monitored server.
BL.2

Verify the application does not allow spoofed high value transactions, such as allowing Attacker User A to process a transaction as Victim User B by tampering with or replaying session, transaction state, transaction or user IDs.
BL.3

Verify the application does not allow high value business logic parameters to be tampered with, such as (but not limited to): price, interest, discounts, PII, balances, stock IDs, etc.
BL.4

Verify the application has defensive measures to protect against repudiation attacks, such as verifiable and protected transaction logs, audit trails or system logs, and in highest value systems real time monitoring of user activities and transactions for anomalies.
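To make BL.2, BL.3 and BL.4 concrete, here is an added example (an illustration written for this page, not code from the ASVS or from the talk) of a purchase handler that accepts only identifiers and a quantity from the client, binds each transaction to a single-use token issued to the authenticated user, checks that the debited account belongs to that user, looks the price up server-side, and writes every outcome to a hash-chained log whose verify() detects later edits. The catalogue, accounts, SKUs, user names and the MAX_QTY bound are constructed sample data and assumptions.

```python
import hashlib
import json
import secrets
from dataclasses import dataclass, field

# Constructed sample data standing in for the database. Prices live
# server-side; a client request never carries a price.
CATALOGUE = {"SKU-1001": 2500, "SKU-1002": 9900}   # price in cents
ACCOUNT_OWNER = {"acct-A": "alice", "acct-B": "bob"}
MAX_QTY = 100   # assumed business limit on quantity per transaction


class BusinessLogicError(Exception):
    """The request failed one of the business-logic controls."""


@dataclass
class AuditLog:
    """Append-only, hash-chained transaction log (BL.4): each record commits to
    the hash of the one before it, so a later edit or deletion is detected."""
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "body": body, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            expected = hashlib.sha256((prev + entry["body"]).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


class TransactionService:
    def __init__(self, log: AuditLog):
        self.log = log
        self._issued = {}   # token -> user it was issued to; removed on use

    def issue_token(self, user: str) -> str:
        """Unguessable single-use token bound to the requesting user, so a
        transaction cannot be replayed or submitted as someone else (BL.2)."""
        token = secrets.token_urlsafe(16)
        self._issued[token] = user
        return token

    def purchase(self, session_user: str, token: str, account: str,
                 sku: str, qty: int) -> int:
        """Charge session_user for qty of sku; return the total in cents."""
        # BL.2: token must be one we issued, unused, and bound to this user.
        # pop() consumes it whether or not the remaining checks pass.
        if self._issued.pop(token, None) != session_user:
            self.log.append({"event": "rejected", "user": session_user,
                             "reason": "invalid, replayed or foreign token"})
            raise BusinessLogicError("invalid or replayed transaction token")
        # BL.2: the debited account must belong to the session user, not merely
        # be a valid account id the client chose to submit.
        if ACCOUNT_OWNER.get(account) != session_user:
            self.log.append({"event": "rejected", "user": session_user,
                             "reason": "account not owned"})
            raise BusinessLogicError("account does not belong to user")
        # BL.3: price comes from the server-side catalogue; quantity is bounded
        # so it cannot be driven negative or absurdly large.
        if sku not in CATALOGUE or type(qty) is not int or not 1 <= qty <= MAX_QTY:
            raise BusinessLogicError("unknown item or invalid quantity")
        total = CATALOGUE[sku] * qty
        self.log.append({"event": "purchase", "user": session_user, "account": account,
                         "sku": sku, "qty": qty, "total": total})
        return total


def demo() -> dict:
    """Run constructed requests through the controls and report the outcomes."""
    log = AuditLog()
    svc = TransactionService(log)
    out = {}
    token = svc.issue_token("alice")
    out["alice_total"] = svc.purchase("alice", token, "acct-A", "SKU-1001", 2)
    attempts = [("replay", ("alice", token, "acct-A", "SKU-1001", 2)),
                ("spoof", ("bob", svc.issue_token("bob"), "acct-A", "SKU-1002", 1))]
    for name, args in attempts:
        try:
            svc.purchase(*args)
            out[name] = "accepted"
        except BusinessLogicError:
            out[name] = "rejected"
    out["log_intact"] = log.verify()
    # an insider edits the first record's amount after the fact
    log.entries[0]["body"] = log.entries[0]["body"].replace('"total": 5000', '"total": 1')
    out["log_after_tamper"] = log.verify()
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the design is that nothing the client controls feeds the amount or the identity: the token and session decide who is acting, the account lookup decides what may be debited, and the catalogue decides the price. The hash chain is the minimum for a "verifiable and protected" log; in a real system the head hash would additionally be anchored somewhere the application itself cannot write.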
BL.5

Verify the application protects against information disclosure attacks, such as direct object reference (see also V4.7) tampering, session brute force or other attacks.
BL.6

Verify the application has sufficient detection and governor controls to protect against brute force (such as continuously using a particular function) or denial of service attacks.
BL.7

Verify the application has sufficient access controls to prevent elevation of privilege attacks, such as allowing anonymous users to access secured data or secured functions, or allowing users to access each other's details or use privileged functions.
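For BL.6 and BL.7, an added example (again an illustration for this page, not the standard's or the speaker's code): a deny-by-default decorator that checks the caller's roles before the function body runs, placed in front of a sliding-window governor that refuses and records excess calls per user and function. The two endpoints, the role names, the 5-calls-per-60-seconds limit and the principals are constructed assumptions; the clock is injectable so the window can be shown expiring without sleeping.

```python
import time
from collections import defaultdict, deque
from functools import wraps


class AccessDenied(Exception):
    """Caller holds none of the roles the function requires (BL.7)."""


class TooManyRequests(Exception):
    """Caller exceeded the governor's limit for this function (BL.6)."""


class Governor:
    """Sliding-window limiter keyed by (principal, function). Calls over the
    limit are refused and recorded in `alerts` for monitoring. `clock` is
    injectable so the window can be exercised without sleeping."""

    def __init__(self, limit: int, window_s: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window_s, clock
        self._hits = defaultdict(deque)   # (principal, function) -> timestamps
        self.alerts = []

    def check(self, principal: str, function: str) -> None:
        now = self.clock()
        hits = self._hits[(principal, function)]
        while hits and now - hits[0] >= self.window:   # discard expired hits
            hits.popleft()
        if len(hits) >= self.limit:
            self.alerts.append({"principal": principal, "function": function, "at": now})
            raise TooManyRequests(f"{principal}: over {self.limit}/{self.window}s on {function}")
        hits.append(now)


class Principal:
    def __init__(self, name: str, roles=()):
        self.name, self.roles = name, frozenset(roles)


ANONYMOUS = Principal("anonymous")   # no roles, so denied anything that needs one


def secured(governor: Governor, *roles: str):
    """Deny-by-default guard: the caller must hold one of `roles` (BL.7) and be
    within the governor's limit (BL.6) before the wrapped function runs."""
    required = frozenset(roles)

    def decorate(fn):
        @wraps(fn)
        def wrapper(principal: Principal, *args, **kwargs):
            if not principal.roles & required:
                raise AccessDenied(f"{principal.name} may not call {fn.__name__}")
            governor.check(principal.name, fn.__name__)
            return fn(principal, *args, **kwargs)
        return wrapper
    return decorate


def build_app(clock=time.monotonic):
    """Two constructed endpoints sharing one governor: 5 calls per 60 s each."""
    governor = Governor(limit=5, window_s=60, clock=clock)

    @secured(governor, "customer", "staff")
    def view_statement(principal: Principal, account: str) -> str:
        return f"statement for {account} shown to {principal.name}"

    @secured(governor, "staff")
    def reset_customer_password(principal: Principal, customer: str) -> str:
        return f"password reset for {customer} by {principal.name}"

    return governor, view_statement, reset_customer_password


class FakeClock:
    """Constructed, manually advanced clock for a deterministic run."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def outcome(fn, *args) -> str:
    """Call fn and report whether the guard let it through."""
    try:
        fn(*args)
        return "allowed"
    except (AccessDenied, TooManyRequests) as exc:
        return type(exc).__name__


def demo() -> dict:
    clock = FakeClock()
    governor, view_statement, reset_pw = build_app(clock)
    alice = Principal("alice", ["customer"])
    agent = Principal("agent7", ["staff"])
    out = {
        "anonymous_statement": outcome(view_statement, ANONYMOUS, "acct-A"),
        "customer_resets_password": outcome(reset_pw, alice, "bob"),
        "staff_resets_password": outcome(reset_pw, agent, "bob"),
    }
    # alice hammers the statement endpoint: 5 succeed, 3 are governed
    results = [outcome(view_statement, alice, "acct-A") for _ in range(8)]
    out["allowed_in_window"] = results.count("allowed")
    out["alerts"] = len(governor.alerts)
    clock.now += 61                      # window expires, service resumes
    out["after_window"] = outcome(view_statement, alice, "acct-A")
    return out


if __name__ == "__main__":
    print(demo())
```

The role check runs before the governor so that an anonymous caller never consumes a slot or produces a noisy alert for a function they could not use anyway; the governor's alerts list is what a monitoring pipeline would consume to spot the "continuously using a particular function" pattern the requirement describes.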
OWASP Developer Guide

• Application security dictionary for developers
• Re-write with a new team
• Larger. Much larger.
• Aligned with the Proactive Controls and Application Security Verification Standard
• Maximal adherence policy - ISO 27002, 27034, COBIT 5, PCI DSS
• Evidence based
• Controls should be in place, effective and used
Need help!
[Screenshot: the Developer Guide 2013 draft in Scrivener (binder dated 21/05/2013); the chapter outline reads:]

Dedication
Copyright and Licence
Authors
Revision History
Contents
Foreword
Introduction
  About the Open Web ...
  Introduc...
Security fundamentals
  Policies, Standards, ...
  Risk management
  Secure SDLC
  Agile Security
  Waterfall Security
  Training
  Acquiring s...
Design
  Principles of security...
  Requirements
  Secure Architecture
  Detailed Design
  Common business us...
Build
  Secure development e...
  Secure build environment
  Authentication
  Session management
  Input validation
  Output encoding
  Business logic
  Cryptography
  Accountability
  Data Protection
  Memory
  Files
  Concurrency
Assurance
  Assurance management
  Coding standards
  IDE Helpers
  Secure architecture re...
  Secure desig...
  Peer reviews
  Code...
  Use and Abuse Cases
  Unit tests

(Editor pane open on "Security fundamentals": "Setting up a secu... development proje...", "Acquiring ...")
Developer Guide 2013

(Diagram of the guide's topic areas:)
• Software assurance
• Business logic
• Cryptography
• Accountability, error handling
• Data protection
• Memory
• Access control
• Design reviews
• Input validation
• Peer reviews
• Output encoding
• Code reviews
• Use and abuse cases
• Denial of Service
• Enable secure business
• Identity and access management






Security testing at enterprise scale - Rapid Risk Assessment Program, 29/05/13



Agile development lifecycle

(Diagram labels:)
• Humans
• Vision
• Contracts
• Product Backlog
• Security
• Cyber Defense





Establish a plan

• It's your money, it's your plan
• Strong human centric business processes
• Automate, automate, automate
• Metrics, metrics, metrics
• Compare apples with apples
• Work with vendors to use YOUR program and your plan
• No more excuses - unacceptable risks
  - eliminate poor security (no more XSS, no more SQL injection)
Integrate tightly with the business
On staffing



We are in a drought of qualified application security staff 

Not hackers 

Need more software engineers with a security major 

Need to attract women to our profession 

Need to attract creative, evil, methodical thinkers 

Easy to train staff in fraud, privacy, and security topics 
Hard to impossible to retain staff once trained, so ... 
Time to retire granddad's information security policy
Do what you need to, no more

• On optimization: "The best I/O is the one you didn't take"
• Evidence based policy, standards
• It's 2013. Rethink or eliminate all 1970's thinking
• Policy must work for Gen Y and millennials. Or they will continue ignoring you
• Eliminate any policy and standards you yourself can't stomach
• Automate
• Measure
• Refine

If you do application development right, penetration testing should be a validation
WRRAP

Just because you have a tool, does not make you a Jedi
Approach

Webapp Rapid Risk Assessment Program (WRRAP) overview

(Process steps shown in the diagram:)
• Agree application list
• WRRAP approach
• Confirm findings
• Draft summary report
• Remediation plan

Approach

WRRAP Work Plan

(Diagram labels:)
• Elevation of Privilege
• Fraud
• Business logic flaws

Summary of WRRAP Testing

Business logic testing case study:
• 25% of all applications had business logic flaws
• Business logic flaws allow remote attackers to:
  - Perform financial fraud
  - Spoof transactions as other users
  - Tamper with highly sensitive data
  - Disclose highly sensitive information
  - Elevate privileges to become administrators, customer service personnel or other customers

Business Logic Flaws by severity (chart): Critical 11, High 11, Medium 3


Challenges 



1. Incident management smarts 

2. Lack of practice management software 

3. Do not let "perfect" get in the way of "good" 

4. Time management 

5. Finding too many technical issues by accident 

6. Reporting 



ThreadFix

[Screenshot: ThreadFix OpenSAMM Maturity Survey (Team: DEECD, User: vanderaj, Date: 2013-01-24); rankings by practice:]

Governance: Strategy & Metrics; Policy & Compliance; Education & Guidance
Construction: Threat Assessment; Security Requirements; Secure Architecture
Verification: Design Review; Code Review; Security Testing
Deployment: Vulnerability Management; Environment Hardening
Establish your program

• Stop "testing" for the sake of testing
• Stop adhering to 40 year old nonsense
• Develop a security program, not a testing program
• Enable secure business by integrating closely with them
• Establish the right team
• Do only evidence based controls
• Monitor both pets and cattle
• Care for pets, but not cattle
• Make cattle very tough self-defending bovines
Thank you!

+Andrew van der Stock
@vanderaj
vanderaj@owasp.org
avstock@kpmg.com.au
0451 057 580